hazelcast · kutluhanmetin · Nov 6, 2024 · Nov 7, 2024 · Nov 28, 2024 · Nov 28, 2024
@@ -0,0 +1,12 @@
+apiVersion: hazelcast.com/v1alpha1
+kind: ManagementCenter
+metadata:
+  name: managementcenter-sample
+spec:
+  repository: 'hazelcast/management-center'
+  version: '{page-latest-supported-mc}'
+  hazelcastClusters:
+    - address: hazelcast-sample
+      name: dev
+      security:
+        clientSecretName: user1-secret
@@ -56,6 +56,8 @@
 * Security
 ** xref:tls.adoc[Configure TLS]
 ** xref:authorization.adoc[Authorization Methods to Access Cloud Storage]
+** Configuring Client Authentication
+*** xref:client-auth.adoc[Simple Authentication]
 
 * Compute
 ** xref:user-code-deployment.adoc[User Code Deployment]

@@ -0,0 +1,129 @@
+= Client Authentication and Authorization
+
+Use the Hazelcast Platform Operator to configure xref:hazelcast:security:authentication-overview.adoc[Client Authentication] and xref:hazelcast:security:client-authorization.adoc[Client Authorization].
+
+== Simple Authentication
+
+You can easily use xref:hazelcast:security:simple-authentication.adoc[Hazelcast Simple Authentication] by making minimal changes in the original configuration.
+
+For example:
+
+[source,yaml]
+----
+security:
+  enabled: true
+  realms:
+    - name: simpleRealm-clients
+      authentication:
+        simple:
+          users:
+          - secretName: user1-secret
+            roles:
+              - admin
+          - secretName: user2-secret
+            roles:
+              - monitor
+              - application
+  client-authentication:
+    realm: simpleRealm-clients
+  client-permissions:
+    all:
+      principal: admin
+      endpoints:
+        - 127.0.0.1
+    map:
+      - name: playground
+        actions:
+          - all
+      - name: accounts
+        principal: monitor
+        actions:
+          - read
+      - name: accounts
+        principal: application
+        endpoints:
+          - 192.168.1.*
+          - 192.168.2.*
+        actions:
+          - create
+          - destroy
+          - put
+          - read
+          - remove
+          - lock
+----
+
+This can be converted as:
+
+[source,yaml]
+----
+apiVersion: hazelcast.com/v1alpha1
+kind: Hazelcast
+metadata:
+  name: hazelcast
+spec:
+    security:
+        operatorClientSecretName: user1-secret
+        realms:
+          - name: simpleRealm-clients
+            authentication:
+              simple:
+                users:
+                - secretName: user1-secret
+                  roles:
+                    - admin
+                - secretName: user2-secret
+                  roles:
+                    - monitor
+                    - application
+        clientAuthentication:
+          realm: simpleRealm-clients
+        clientPermissions:
+          all:
+            principal: admin
+            endpoints:
+              - 127.0.0.1
+          permissions:
+            map:
+              - name: playground
+                actions:
+                  - all
+              - name: accounts
+                principal: monitor
+                actions:
+                  - read
+              - name: accounts
+                principal: application
+                endpoints:
+                  - 192.168.1.*
+                  - 192.168.2.*
+                actions:
+                  - create
+                  - destroy
+                  - put
+                  - read
+                  - remove
+                  - lock
+----
+
+Required Changes:
+
+* `security.enabled` should be removed.
+* convert kebab cases to camel cases:
+** `client-authentication` -> `clientAuthentication`
+** `client-permissions` -> `clientPermissions`
+* add `permissions` node to `clientPermissions` to wrap permissions other than `all`.
+
+NOTE:  The `operatorClientSecretName` is a mandatory field required for the Operator to establish a connection with the Hazelcast cluster. The given user in the `operatorClientSecretName` field must have a role that has all the client permissions. Otherwise, the Operator will fail with a validation error.
+
+=== Management Center Configuration
+
+As the Management Center serves as a client of the Hazelcast cluster, it must be properly configured to connect to the cluster. The `security.clientSecretName` field in the `hazelcastClusters` section is utilized for this configuration.
+
+.Management Center Simple Authentication Example
+[source,yaml,subs="attributes+"]
+----
+include::ROOT:example$/management-center-simple-auth.yaml[]
+----
+
+NOTE: The given user in the `clientSecretName` field have a role that has all the client permissions.
@@ -13,31 +13,10 @@ To use the Custom Config as a method of configuring the Hazelcast cluster, you n
 ConfigMap::
 +
 --
-[source,yaml]
-```
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: custom-config-cm
-data:
-  hazelcast: |-
-    security:
-      enabled: true
-      realms:
-      - name: simpleRealm
-        authentication:
-          simple:
-            users:
-            - username: operator
-              password: 'op-pass'
-              roles:
-              - root
-      client-authentication:
-        realm: simpleRealm
-      client-permissions:
-        all:
-          principal: root
-```
+[source,shell]
+----
+kubectl create configmap custom-config-cm --from-file=<path-to-file>
+----
 
 The name of the `ConfigMap` should be set to the Hazelcast CR's `customConfigCmName` field.
 
@@ -56,15 +35,9 @@ spec:
 Secret::
 +
 --
-[source,yaml]
+[source,shell]
 ```
-apiVersion: v1
-kind: Secret
-metadata:
-  name: custom-config-secret
-data:
-  hazelcast: c2VjdXJpdHk6CiAgZW5hYmxlZDogdHJ1ZQogIHJlYWxtczoKICAtIG5hbWU6IHNpbXBsZVJlYWxtCiAgICBhdXRoZW50aWNhdGlvbjoKICAgICAgc2ltcGxlOgogICAgICAgIHVzZXJzOgogICAgICAgIC0gdXNlcm5hbWU6IG9wZXJhdG9yCiAgICAgICAgICBwYXNzd29yZDogJ29wLXBhc3MnCiAgICAgICAgICByb2xlczoKICAgICAgICAgIC0gcm9vdAogIGNsaWVudC1hdXRoZW50aWNhdGlvbjoKICAgIHJlYWxtOiBzaW1wbGVSZWFsbQogIGNsaWVudC1wZXJtaXNzaW9uczoKICAgIGFsbDoKICAgICAgcHJpbmNpcGFsOiByb290Cgo=
-
+kubectl create secret generic custom-config-secret --from-file=<path-to-file>
 ```
 
 The name of the `Secret` should be set to the Hazelcast CR's `customConfigSecretName` field.
@@ -86,47 +59,6 @@ spec:
 
 The Custom Config is not designed as an alternative to the Hazelcast CR configuration, and it is not recommended to use it as the main source of the configuration. That said, Custom Config can and should be used together with the Hazelcast CR configuration.
 
-[source,yaml]
-```
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: custom-config-cm
-data:
-  hazelcast: |-
-    security:
-      enabled: false
-      realms:
-        - name: simpleRealm
-          authentication:
-            simple:
-              users:
-                - username: dev
-                  password: 'secret'
-                  roles:
-                    - root
-```
-
-[source,yaml]
-```
-apiVersion: hazelcast.com/v1alpha1
-kind: Hazelcast
-metadata:
-  name: hazelcast
-spec:
-  customConfigCmName: custom-config-cm
-  userCodeDeployment:
-    bucketConfig:
-      secretName: br-secret-gcp
-      bucketURI: "gs://operator-custom-class/executorService"
-  executorServices:
-    - name: service1
-  durableExecutorServices:
-    - name: service2
-  scheduledExecutorServices:
-    - name: service3
-```
-
 The configuration from the Hazelcast CR and the Custom Config will be merged into one structure that will be used as the Hazelcast member configuration.
 If the same feature is configured with Custom Config `ConfigMap` and in the Hazelcast CR, the configuration from the Hazelcast CR will take precedence and will override the one from the Custom Config.
 
@@ -154,4 +86,4 @@ The Hazelcast Platform Operator communicates with the Hazelcast cluster, requiri
 
 === Security configuration
 
-When configuring `security` with enabled `client-authentication`, you must provide a user with `all` permissions and a simple authentication method. The client and the operator will use this user to connect to and manage the cluster.
+The security configuration is not accessible through custom configuration. To configure xref:client-simple-auth.adoc[Simple Authentication] use `Security` section of the Hazelcast CR.